0

Take for example a game. Typically, when you buy or download a game that can be played offline, all of the data required to run the game is shipped with the executable. In order to protect these resources, developers use various protection methods such as passwords, encryption, compression, file archives, anti-debuggers, and so on. Of course, most (if not all) of these can be reverse engineered if someone was to spend enough time and effort on it.

I've been looking at different online games and have found that browser-based games tend to be much more secure when it comes to unauthorized data access. This is because (when feasible) a resource is only sent to the client when it is requested, and an ideal URI typically uses a random string that is both unfeasible to guess and impossible to reverse engineer.

For example, suppose I have an image called "duck.png". I then rename it to a random 64-character string, perhaps randomly pounding away at the keyboard. Unless you are incredibly lucky, you won't be able to guess that. You could add additional security measures, such as making it so that if an IP attempts to request an invalid resource more than, say, 100 times, the server automatically suspends them for some period of time.

Assuming security is properly set up on a server (proper access control, secured API's that properly checks requests before processing them, consistent use of the random strings), can I be confident that the only way an outsider would be able to access this resource is through legitimate means, such as playing the game?

Or are there techniques that adversaries can use to gain access (easily) to the resources that I'm trying to protect? I'm assuming that gaining unauthorized access to a server is not an easy task because the server is secured.

Steven Volckaert
  • 1,193
  • 8
  • 15
MxLDevs
  • 313
  • 1
  • 2
  • 8
  • And how are these random strings generated? Client side? – Lucas Kauffman Apr 18 '14 at 05:56
  • I have a simple way to get access to `duck.png` - I grab it from a site which logs all resources encountered (Essentially, just a regular pirate site). Ubisoft tried something similar to "only send when needed" with some of it's games - it just delayed things a little until hackers figured out how to create a dummy server. If you distribute a resource, it _will_ be passed on to unanticipated 3rd parties. Therefore, the only ~permanent way to avoid this is to **not** distribute it... hence server-based games (MMOs, social gaming, cloud game servers...) – Clockwork-Muse Apr 18 '14 at 13:50
  • @LucasKauffman When the resource is required, it will be sent to the client. So if you need the duck, the server knows that you are in a situation where you need the duck, so it'll send the random string beforehand. Because the string is truly random, there is no way to deterministically generate it. – MxLDevs Apr 18 '14 at 16:27
  • @Clockwork-Muse Do you have a reference to the ubisoft case? I'm not sure how a dummy server would be accomplished. However, would a dummy server know about the random strings used for URI's? – MxLDevs Apr 18 '14 at 16:31
  • There's news [in several blogs](http://www.tomshardware.com/news/assassins-creed-crack-hack-drm-ac2,10260.html), and the top google results are actually for the server torrent. I thought I saw something about the game needing to download additional data, but given the size of the installs this is likely incorrect. The net effect in your case is identical, though; essentially the application is asking for _some_ data (in AC2's case, essentially a simple Boolean), so a local server is written to host it. Besides the original pirate, nobody talks to your server. – Clockwork-Muse Apr 18 '14 at 22:36
  • @Clockwork-Muse Thanks, I wasn't sure which games they were using the server-based DRM for. Though for the most part, it looks like AC2 was limited to save files. A lot of browser games, 2D in particular, can handle sending you audio, graphics, etc. when you need them. This means that if there was some super secret item that required you to pay $100 for, someone would have to have paid $100 before it was leaked. It seems like server-based distribution is the way to go. – MxLDevs Apr 19 '14 at 00:06
  • #ahem# - you've missed my point; if the resource being paid for is something that's simply distributed (say, a special image), only **one** person needs to pay for it. This is essentially the problem movie/music producers have run into. Once one person has it, they can give it to others. MMOs and social games _aren't_ distributing anything - their server code and interaction with other users. That fancy hat in TF2? Sure, the _art_ is present on your machine, but it's the **server** which says which player has it, so nobody else gets to see you with it. – Clockwork-Muse Apr 19 '14 at 00:33

1 Answers1

1

Assuming security is properly set up on a server (proper access control, secured API's that properly checks requests before processing them, consistent use of the random strings), can I be confident that the only way an outsider would be able to access this resource is through legitimate means, such as playing the game?

No.

Is a properly built (and secured) house/building secure against unauthorized access? No!

There are no absolutes.

SPRBRN
  • 7,379
  • 6
  • 33
  • 37
  • Can you elaborate on why it is not secure against unauthorized access aside from someone physically going there and breaking into the building, or hacking into the servers (which has occurred numerous times apparently given the various news about databases being hacked into)? – MxLDevs Apr 18 '14 at 16:32
  • You want to be confident that there is only one way an outsider can get access to your content. There is no such guarantee. – SPRBRN Apr 18 '14 at 18:03